#include <selinux/avc.h>

void avc_entry_ref_init(struct avc_entry_ref *aeref);

int avc_has_perm(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t requested,
                 struct avc_entry_ref *aeref, void *auditdata);

int avc_has_perm_noaudit(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t requested,
                         struct avc_entry_ref *aeref, struct av_decision *avd);

void avc_audit(security_id_t ssid, security_id_t tsid, security_class_t tclass, access_vector_t requested,
               struct av_decision *avd, int result, void *auditdata);

avc_has_perm checks whether the requested permissions are granted for subject SID ssid and target SID tsid, interpreting the permissions based on tclass and updating aeref, if non-NULL, to refer to a cache entry with the resulting decision. The granting or denial of permissions is audited in accordance with the policy. The auditdata parameter is for supplemental auditing; see avc_audit below.
avc_has_perm_noaudit behaves as avc_has_perm without producing an audit message. The access decision is returned in avd and can be passed to avc_audit explicitly.
avc_audit produces an audit message for the access query represented by ssid, tsid, tclass, and requested, with a decision represented by avd. Pass the value returned by avc_has_perm_noaudit as result. The auditdata parameter is passed to the user-supplied func_audit callback and can be used to add supplemental information to the audit message; see avc_init(3).
After declaring an avc_entry_ref structure, use avc_entry_ref_init to initialize it before passing it to avc_has_perm or avc_has_perm_noaudit for the first time. Using an uninitialized structure will produce undefined behavior.
In permissive mode, zero will be returned and errno unchanged even if permissions were denied. avc_has_perm will still produce an audit message in this case.
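
The relationship between the three calls, as an added self-contained model (not libselinux code and not part of the original page): it shows that the combined check behaves like the no-audit check followed by an explicit audit step, and that in permissive mode a denied request returns zero with errno untouched while the audit message is still produced. All model_* names, the permission bits and the read-only policy are constructed stand-ins, and setting errno to EACCES on an enforced denial is an assumption of the model.

```c
/* Constructed model of the semantics described above; NOT libselinux code. */
#include <errno.h>
#include <stdio.h>

typedef unsigned int model_av_t;              /* stand-in for access_vector_t */
struct model_avd { model_av_t allowed; };     /* stand-in for struct av_decision */
#define PERM_READ  0x1u                       /* constructed permission bits */
#define PERM_WRITE 0x2u
static int enforcing = 1;                     /* 0 models permissive mode */
static int audit_count;                       /* audit messages emitted so far */

/* Like avc_has_perm_noaudit: the decision lands in avd, nothing is logged. */
int model_has_perm_noaudit(model_av_t requested, struct model_avd *avd)
{
    avd->allowed = PERM_READ;                 /* constructed policy: read only */
    if ((requested & ~avd->allowed) && enforcing) {
        errno = EACCES;                       /* assumed errno for a denial */
        return -1;
    }
    return 0;                                 /* granted, or permissive mode */
}

/* Like avc_audit: takes the decision plus the earlier return value. */
void model_audit(model_av_t requested, const struct model_avd *avd,
                 int result, const char *auditdata)
{
    model_av_t denied = requested & ~avd->allowed;
    int saved = errno;                        /* logging must not disturb errno */
    if (denied) {                             /* model policy: audit denials only */
        audit_count++;
        fprintf(stderr, "denied 0x%x rc=%d %s\n", denied, result, auditdata);
    }
    errno = saved;
}

/* Like avc_has_perm: check, then audit, in one call. */
int model_has_perm(model_av_t requested, const char *auditdata)
{
    struct model_avd avd;
    int rc = model_has_perm_noaudit(requested, &avd);
    model_audit(requested, &avd, rc, auditdata);
    return rc;
}

int main(void)
{
    enforcing = 0;                            /* permissive: logged, returns 0 */
    return model_has_perm(PERM_WRITE, "op=write (constructed)");
}
```

Because the return value alone cannot reveal a denial in permissive mode, an object manager that needs to know about one has to rely on the audit trail or the returned decision rather than on the return code.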